UNIX System Administration: A Beginner's Guide, Part 7



standard MIB organization from the root to additional branches. The branches of the tree serve as logical groupings of related objects. The leaves, or nodes as they are often called, represent individual objects. Also, subtrees are formed and represent both additional intermediate branches and connecting leaves. Objects within a MIB can be referenced by specifying each of the numeric identifiers starting with the top of the tree (or root) and proceeding to the individual leaf or object. The root of the branch is commonly written with a "." (dot).

400 UNIX System Administration: A Beginner’s Guide

Figure 13-2 MIB organization and structure

Hint

Accessing MIBs is similar to referencing files within the UNIX operating system. However, one key difference is that UNIX pathnames can be expressed in absolute or relative terms. MIB objects can only be accessed in an absolute manner; the relative format is not available.


For example, Figure 13-2 shows root (.) at the topmost position of the tree and sysDescr(1) as the leaf. The common method of expressing object identifiers is to use the dotted notation. This notation requires that a dot separate each branch name or identifier. Often the root is not expressed, as it is implied. To access the sysDescr(1) object, the fully qualified identifier would be written as

iso.org.dod.internet.mgmt.mib-2.system.sysDescr

This identifier is read from left to right. Objects can also be expressed in a short form by substituting the branch name with the numeric identifier associated with each identifier name. Thus, iso.org.dod.internet.mgmt.mib-2.system.sysDescr can also be expressed as 1.3.6.1.2.1.1.1. These two expressions are functionally equivalent and reference the same MIB object.

By using the structure shown in the figure, an SNMP manager (or MIB browser tool) can drill down into the MIB in an easy yet concise manner. A MIB browser is a software application that traverses a MIB tree, usually showing a graphical display of branches, leaf objects, and associated values. MIB browsers are great for probing an agent for specific information or learning the structure and format of new MIBs.
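As an added example (not code from the book), the following Python translates an object identifier between its name form and its numeric form using a hand-built subset of the MIB-II tree; it also accepts the mixed "system.1" shorthand that the object descriptions in this module use, and goes slightly beyond the text by keeping any arcs below a leaf object as the instance index. The ARCS registry and its arc numbers are assumed from the standard MIB-II definitions (in the standard ifTable the first column is ifIndex, so ifDescr is column 2).

```python
"""Translate MIB object identifiers between the dotted-name and numeric
forms.  Added example, not from the book: ARCS is a hand-built subset of
the MIB-II tree (system and interfaces groups) using the arcs assigned by
standard MIB-II; note that in the standard ifTable the first column is
ifIndex(1) and ifDescr is column 2."""

# name -> (parent name, arc number); None marks the root of the tree
ARCS = {
    "iso": (None, 1), "org": ("iso", 3), "dod": ("org", 6), "internet": ("dod", 1),
    "mgmt": ("internet", 2), "mib-2": ("mgmt", 1),
    "private": ("internet", 4), "enterprises": ("private", 1),
    "system": ("mib-2", 1), "sysDescr": ("system", 1), "sysObjectID": ("system", 2),
    "sysUpTime": ("system", 3), "sysContact": ("system", 4), "sysName": ("system", 5),
    "sysLocation": ("system", 6), "sysServices": ("system", 7),
    "interfaces": ("mib-2", 2), "ifNumber": ("interfaces", 1),
    "ifTable": ("interfaces", 2), "ifEntry": ("ifTable", 1),
    "ifIndex": ("ifEntry", 1), "ifDescr": ("ifEntry", 2), "ifType": ("ifEntry", 3),
    "ifMtu": ("ifEntry", 4), "ifSpeed": ("ifEntry", 5), "ifPhysAddress": ("ifEntry", 6),
    "ifAdminStatus": ("ifEntry", 7), "ifOperStatus": ("ifEntry", 8),
    "ifLastChange": ("ifEntry", 9), "ifInOctets": ("ifEntry", 10),
    "ifOutOctets": ("ifEntry", 16), "ifOutQLen": ("ifEntry", 21),
}
# (parent, arc) -> child name, for walking a numeric identifier downwards
CHILDREN = {(parent, arc): name for name, (parent, arc) in ARCS.items()}
GROUPS = {parent for parent, _ in CHILDREN}   # nodes that have defined children

def _chain(name):
    """(name, arc) pairs from the root down to the given object."""
    chain = []
    while name is not None:
        parent, arc = ARCS[name]
        chain.append((name, arc))
        name = parent
    return chain[::-1]

def resolve(oid):
    """Resolve an absolute identifier written as names, numbers or a mix
    (the 'system.1' shorthand may start at any known name).  Returns
    (numeric form, name form, instance arcs).  A leading '.' (the implied
    root) is ignored.  Arcs below a leaf object are kept as the instance
    index: '.0' for a scalar, the ifIndex value for an ifTable column."""
    current, instance = None, []
    for part in oid.strip(".").split("."):
        if instance:                      # already below a leaf: the rest is instance
            instance.append(int(part))
        elif part.isdigit():
            child = CHILDREN.get((current, int(part)))
            if child is not None:
                current = child
            elif current is None or current in GROUPS:
                raise ValueError(f"arc {part} is not defined under {current!r}")
            else:
                instance.append(int(part))
        elif part in ARCS and (current is None or ARCS[part][0] == current):
            current = part                # a name must be a child of where we are
        else:
            raise ValueError(f"{part!r} is not a child of {current!r}")
    chain = _chain(current)
    return (".".join(str(arc) for _, arc in chain),
            ".".join(name for name, _ in chain), instance)

if __name__ == "__main__":
    for oid in ("iso.org.dod.internet.mgmt.mib-2.system.sysDescr",
                "1.3.6.1.2.1.1.1", "system.1", "sysContact.0", "1.3.6.1.2.1.2.2.1.2.1"):
        print(f"{oid:48} -> {resolve(oid)}")
```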

Object Types

Within a MIB, different object types represent data structures or values contained in an agent. The objects can represent physical agent attributes, configuration information, or other data. These object types are derived from the Abstract Syntax Notation (ASN.1) standard rules. ASN.1 provides a detailed standard for the implementation and encoding of basic data types that are machine independent and can be transmitted over the network in an unambiguous way.


Hint

The reason to choose one identifier form over the other is a matter of preference, although the numeric identifier is much more concise. However, MIB browsers can display MIB objects in either format, thus making it easy to convert from one format to the other. After using SNMP and MIBs for a short while, you will become familiar with both methods and have the opportunity to choose which style is best for you.


For us to understand network management, we must be able to read and understand MIB objects. Without a good grasp of MIBs, it will be difficult to use SNMP tools and software to manage a network effectively.

Two object data type classes are defined using ASN.1:

● Universal types

● Application types

The universal class consists of primitive types that can be used to build additional data types of objects within a MIB. Table 13-1 lists some of the available simple data types found in the universal class.


Ask the Expert

Question Why are machine independence and unambiguous network transmission important to SNMP or network management?

Answer Because network management must address a heterogeneous network environment, a standard way must be provided to ensure that SNMP messages can be transmitted and understood on different systems and devices. Because various computer platforms store information differently, ASN.1 provides a common format. For example, an integer on one system can be expressed with the most significant digit first, while on others it might be expressed with the least significant digit first. Also, ASN.1 data types are found in MIBs.

Question Why is it so important to learn the MIB details in this module?

Answer The sections in the succeeding modules will focus on using network management tools that manipulate MIB objects. So it seems reasonable to present the types of objects that might be encountered. It is important that the reader understands the different types of objects and why values from these objects are in a certain format or structure. Of equal importance is the access mode of MIB objects, which is discussed in the next section, "Sample MIB Object."


SNMP derives some application data types from the universal class type. These application types define additional sub-types that can be used to represent specific values customized for use within the network management environment. Table 13-2 describes some of the application data types presently available in the application class.


ASN.1 Data Type          Description
INTEGER                  A data type representing a cardinal number, where no limitation is made on the level of precision that might be required to represent an integer value.
OCTET STRING             A data type representing zero or more octets, where each octet may take any value from 0 to 255.
NULL                     A data type meant as a placeholder, but currently not used.
OBJECT IDENTIFIER        A data type representing an authoritatively named object that consists of a sequence of values that specify a MIB tree.
SEQUENCE, SEQUENCE OF    A data type used to denote an ordered list of zero or more elements that contain other ASN.1 types. SEQUENCE OF contains an ordered list of the same ASN.1 type.

Table 13-1 SNMP Universal Data Types

ASN.1 Data Type          Description
Counter, Counter32       A data type that represents a non-negative integer that increases until it reaches a maximum value and then resets to zero. A counter is an INTEGER that can take a value between 0 and 4294967295. A counter has no defined starting value.
Counter64                Just like a counter object except that a Counter64 is an INTEGER that can take a value between 0 and 18446744073709551615.
DisplayString            A data type representing zero or more octets, where each octet may take any value from 0 to 255. A DisplayString is like an OctetString object.
Gauge, Gauge32           A data type that represents a non-negative integer that may increase or decrease and will trigger at a maximum value. A gauge is like a counter in every other aspect.
IpAddress                Represents an OCTET STRING that has a length of 4 bytes (32 bits) and where each of the four octets relates to the four bytes of a standard IP address.

Table 13-2 SNMP Application Data Types


Sample MIB Object

MIB objects are important components of network management, and some of the modules in this book specifically describe MIB definitions as they relate to system agents and network management tools. Therefore, when discussing MIBs, the common format shown below will be used:

Object Name    sysDescr
OID            system.1
Object Type    Octet String
Access Mode    read-only
Status         current
Description    A description of the agent device or entity. This value should include the full name, identification of the system, hardware type, operating system, and network software. It is mandatory that this object type contain only printable ASCII characters. A sample of this object includes the following obtained for a Solaris system: Sun SNMP Agent

This format includes the object name, OID string, object type, access mode, status, and description. The object name is the name used when querying an agent for this particular object. In this example, the sysDescr object is a string that contains a general description of the device or agent contained within the device. The object identifier string, or OID string, shows which group the object is contained in and its logical position in that MIB hierarchy.


ASN.1 Data Type          Description
Opaque                   A data type that provides the ability to pass arbitrary information that uses the OCTET STRING data type.
NetworkAddress           Represents an address from one of several network protocol address standards. Presently, it is the same as IpAddress.
TimeTicks                Represents a non-negative integer that counts time in hundredths of a second since some established epoch. TimeTicks is like a counter in every other aspect.

Table 13-2 SNMP Application Data Types (continued)


In this case, it is the first object in the system group. This group can be found within the standard MIB-II definition.

The object type is OctetString and can be as long as 255 characters. Recall that Table 13-2 lists the definitions of these ASN.1 types. The access mode indicates how the manager or other tools may manipulate the object.

The status field indicates the current status of the object, for example, current or historic. The current status means that the object is presently available within the agent as described within the MIB. That is, if the MIB represents that agent, then all objects labeled as current will be implemented within that agent. Other values can also be used to indicate additional states of the objects. For example, the obsolete reference indicates that the object is no longer supported within the MIB. The deprecated reference can be used to aid interoperability with older versions or implementations of the agent.

The description field provides an overview of the object, purpose, and a sample value if appropriate. In the above example, when the sysDescr object is queried, it returns the agent operating system (for example, Solaris), the hostname the agent resides within (socrates), operating system version information, and date information.

Another way this book describes MIBs is with a hierarchical graph showing each of the objects laid out in a tree structure. Figure 13-3 shows the general format that represents a MIB tree. In particular, it shows the MIB-II objects found under the system group. As you can see, the formatting includes the use of closed circles and closed squares. The squares represent discrete objects such as INTEGER and OCTET STRING, but not tables or other groups of objects. The circles represent groups of objects or tables. Also, gray lines and objects that are peripheral further indicate the structure needed to navigate to the group in question. These objects and associated lines that are of interest are drawn in black. Included with these objects is the member index (in parentheses) that shows the relative position of each object within the tree structure. Thus, sysContact(4) is the fourth object within the system group.


Hint

It is very common for those new to SNMP to attempt to alter nonwritable objects. In this case, attempting to alter the sysDescr object will cause the agent to respond with not writable or another error message.


SNMP Tables

As noted above, an MIB may contain objects that represent physical characteristics of a device or other information contained within an agent. These objects can either be in the form of discrete elements (i.e., individual objects like sysDescr) or, in some cases, two-dimensional tables. Tables store related information that might contain several instances or copies of an MIB object. The best way to illustrate the use of a table is by examining a table within an actual MIB. Defined in the MIB-II standard is the interface group that has the object identifier defined as 1.3.6.1.2.1.2 or iso.org.dod.internet.mgmt.mib-2.interface. Objects within this group represent physical network interfaces and related information installed within a networking device. Performance-related information is also collected and stored within this group. For each interface within a network device, the following information is used to describe the characteristics of the interface and associated configuration:

Description              General description of the interface
Type                     The type of interface, such as Ethernet or token ring
Mtu                      The maximum transmission size


Figure 13-3 General MIB format


Speed                    The transmission speed of the interface
Physical address         The data link protocol or hardware address
Administration status    The current administrative status of the interface
Operational status       The actual operating status of the interface
Last change              The time when the interface became operational

Additional objects within the table store the following performance-monitoring information:

● Number of octets (bytes) received or sent

● Number of unicast packets delivered to or sent from higher-level software

● Number of non-unicast packets delivered to or sent from higher-level software

● Number of inbound/outbound packets discarded

● Number of inbound/outbound packets containing errors

● Number of inbound/outbound packets discarded due to bad protocol

● Length of the output packet queue

Figure 13-4 shows the structure of the interface group. Tables are used to contain interface information because networking devices can contain more than one interface. For example, a router or switch device can contain literally dozens of interfaces, often supporting different network protocols such as Ethernet, ATM, or FDDI. Using a table provides a straightforward and convenient way to access individual objects within a given interface definition.

The interface group includes the ifNumber object, which contains the total number of network interfaces within the networking device. Using the sample data contained in Table 13-3, the ifNumber value would be 2. In this case, the device reports two interfaces: one defined as a pseudointerface and the other defined as an Ethernet. It is common for networking UNIX systems to contain a pseudointerface for internal diagnostic purposes.

The rest of the interface group consists of a table called ifTable, which contains a row for each interface defined within the device. This table is indexed by ifIndex, which contains a value between the range of 1 and the value of ifNumber. The ifIndex object uniquely addresses each column of the table that represents the interface.

Table 13-3 shows the entire interface group in the first column and associated values taken from an actual network device in the remaining columns. Each row corresponds to each of the specific MIB objects contained within the ifEntry table. Each ifEntry instance represents an interface defined in the table. To access the object ifDescr for the first interface, one would use the following object identifier (OID)

1.3.6.1.2.1.2.2.1.1

or

iso.org.dod.internet.mgmt.mib-2.interface.ifTable.ifEntry.ifDescr

Figure 13-4 Interface group from MIB-II

The ifDescr object provides a general description of the interface. The objects starting from IfInOctets to IfOutQLen represent traffic counters for device interfaces and can be used to measure network and system performance.
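The traffic counters just mentioned are Counter32 objects, which wrap at the maximum listed in Table 13-2. The following added example (not code from the book) shows how a poller turns two samples of such a counter into a rate, and which checks keep a counter wrap or an agent restart from producing a bogus number; the poll samples at the bottom are constructed.

```python
"""Turn two polls of an interface counter into a rate, allowing for the
counter wrap listed in Table 13-2.  Added example, not from the book; the
poll samples at the bottom are constructed."""
COUNTER32_MAX = 4294967295
COUNTER64_MAX = 18446744073709551615

def counter_delta(prev, curr, max_value=COUNTER32_MAX):
    """Units counted between two polls.  A counter only increases, so a
    current value below the previous one means it wrapped through
    max_value back to zero (assumed: exactly once)."""
    for v in (prev, curr):
        if not 0 <= v <= max_value:
            raise ValueError(f"{v} is outside the counter range")
    if curr >= prev:
        return curr - prev
    return (max_value - prev) + curr + 1

def octet_rate_bps(prev, curr, interval_s, max_value=COUNTER32_MAX):
    """Bits per second from two ifInOctets or ifOutOctets samples."""
    return counter_delta(prev, curr, max_value) * 8 / interval_s

def max_safe_interval_s(link_bps, max_value=COUNTER32_MAX):
    """Longest poll interval at which a saturated link cannot wrap the
    counter more than once between polls; a double wrap is invisible and
    is the reason to prefer Counter64 objects on fast links."""
    return max_value * 8 / link_bps

def polls_comparable(prev_uptime, curr_uptime):
    """sysUpTime (TimeTicks) must not have gone backwards between polls: a
    restarted agent starts its counters from an undefined value, so such
    a pair must be discarded rather than treated as a wrap."""
    return curr_uptime >= prev_uptime

# Constructed polls of ifInOctets taken 60 s apart (6000 ticks); the
# Counter32 wrapped shortly before the second poll.
SAMPLE = [{"uptime": 154477, "ifInOctets": 4294960000},
          {"uptime": 160477, "ifInOctets": 48000}]

def sample_rate_bps():
    a, b = SAMPLE
    if not polls_comparable(a["uptime"], b["uptime"]):
        raise RuntimeError("agent restarted between polls; discard this interval")
    return octet_rate_bps(a["ifInOctets"], b["ifInOctets"], (b["uptime"] - a["uptime"]) / 100)
```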


Table 13-3 Interface Group Instance Table (columns: MIB Objects; IfEntry (1.3.6.1.2.1.2.2.1); IfEntry (1.3.6.1.2.1.2.2.2))


Accessing Objects

MIB objects are defined with access control information that specifies what kind of operation can be performed on the object. SNMP includes the following access control information for MIB objects:

Accessible-for-notify objects are only available via a notification to a network manager or another agent. No direct polling of the object is permitted.

Read-only objects are not alterable by the network management system, but values may be obtained via a get or trap operation.

Read-write access is necessary when a particular object must be altered to accomplish some specific goal or must be configured in a certain way. For example, it might be necessary to disable a router port due to a large number of errors detected on one of its interfaces. In this case, the network management system must change the operational status of the interface to 0, thus shutting down the physical connection until the cause of the errors is determined.

Read-create objects have the same access permission as read-only and read-write objects. Read-create access is used for objects that may be created on the fly. Such objects may include table row (also called conceptual row) instances, for example.

Standard and Private MIBs

As previously mentioned, MIBs are organized under a hierarchical tree structure, and a number of standard MIBs have been developed and placed under the mgmt(2) branch. Many of these MIBs were developed via the RFC process. Many different individuals or vendors assisted with their development but don't actually own them, nor can they arbitrarily make changes to them. However, many vendors and third-party software developers have developed additional MIBs to address specific functionality or services for their particular products. Many of these MIBs, known as enterprise MIBs, start under the private(4) branch of the standard MIB tree. Figure 13-5 shows several popular MIBs that can be found under this branch.

The Internet Assigned Numbers Authority (IANA; www.iana.org) maintains a list of assigned enterprise numbers. Those wishing to obtain a number make a request to this organization and obtain a valid number. Table 13-4 shows a small sample of the numbers that have already been assigned.

SNMP Communities

Typically, a network management system will be deployed in a large network environment that contains a collection of many different groups of networks and devices. Thus, it is reasonable for an enterprise network to be divided into zones or communities of users in order to partition responsibility. As a result, a community name can be assigned to a class of devices and provide a security boundary that helps to implement the desired communities or zones. SNMP supports this kind of security model based on community string information, which is physically added to each device within the selected community. Some practical examples include selecting a community that represents all the Cisco backbone routers or selecting another community that includes devices in just the sales department.

The current SNMP community-based authentication model is considered very weak and poses a significant security problem. The major reason is that older SNMP versions don't provide any encryption facilities or other mechanisms to ensure that the community information is not simply copied from the network during an SNMP packet exchange. Using a packet capture tool, the entire SNMP packet could be decoded, thus revealing the community name. As a result of this limitation, many sites disable set operations to many of the agent devices. This has the unfortunate side effect of limiting SNMP usefulness because it can then only monitor object values and not alter them.

Figure 13-5 Enterprise tree from private branch

Table 13-4 Assigned Enterprise MIB Numbers (sample entry: 4475 Rainbow Software Solutions)


and on many computer operating systems. This popular version, known as SNMPv1, accounts for a significant portion of the installed base of agents today. Despite its popularity, SNMPv1 has several fundamental problems. First, because it lacks a robust security mechanism, it can't be used to its full potential.

Ask the Expert

Question Why would a change to an MIB object be prohibited?

Answer Certain MIB information will never change during the life of a product. For example, the MIB object sysDescr, which stands for system description, contains vendor information for the agent. An SNMP manager should not modify this information because it would disassociate the device with the actual product vendor, thus making agent identification difficult. Also, it can adversely affect the accuracy of any software-based network inventory mechanisms. Another reason to make objects read-only is to ensure that performance information or other statistical data remains accurate rather than getting altered unintentionally.

Read-write access is necessary when a particular object must be altered to accomplish some specific goal or must be configured in a certain way. For example, it might be necessary to disable a router port due to a large number of errors detected on one of its interfaces. In this case, the network management system must change the operational status of the interface to 0, thus shutting down the physical connection until the cause of the errors is determined.

Question Why develop enterprise MIBs?

Answer Many vendors do so because they may need specific objects for their devices that may not be defined or available within the standard MIBs. Also, vendor-specific MIBs don't need to become standards, since only that vendor and their customers actually need to use the MIBs. It only makes sense to develop standard MIBs when many vendors can implement the same collection of MIBs across a large number of different devices.


As a result, many vendors limit the set operations on agents to minimize the potential risk of a security breach. Second, SNMPv1 doesn't optimize the processing of large amounts of information, thus further restricting the use of SNMP. Third, SNMPv1's relationship between network manager and agent is well defined: agents play only a single, simplistic role of accepting commands from management systems. This significantly limits SNMPv1 when smart agents are needed to address specific requirements for distributed network management functions. SNMPv1 also specifies a collection of MIB objects known as MIB-II. The goal of MIB-II was to provide a collection of objects that all SNMP agents can support, regardless of which vendor implemented the agent.

To summarize, SNMPv1 provides

● Basic network management framework

● Definition of the MIB-II standard

● Descriptions of the Protocol Data Units (PDUs), which include GetRequest, GetNextRequest, SetRequest, GetResponse, and Trap

● Description of ASN.1 encoding language

To address some of the deficiencies in SNMPv1, a significant amount of effort has been made over the past few years to enhance SNMP. The first series of improvements came in 1993 when a series of 12 RFCs (1441–1452) was introduced, proposing to add PDUs and enhancements to the SNMP architecture and security model. This collection of RFCs was known as SNMPv2 Classic. At that time, many users of SNMP were anticipating these improvements and planned to implement the new version as soon as it became available.

Unfortunately, there was still much debate about SNMPv2 security and remote configuration. When it became apparent that not all the original SNMPv2 proposals were going to be widely adopted, additional work was done to define SNMP security and remote configuration management components. This led to additional proposals that included a new protocol and new MIB structure elements (documented in RFCs 1901–1908). These proposals were more popular than SNMPv2 Classic and became known as community-based SNMPv2 or SNMPv2c. The problem with SNMPv2c was that, though it was endorsed by the IETF, it lacked robust security and administration facilities.

Additional improvements to the remote management capability of SNMPv1 resulted in proposals known as SNMPv2usec and SNMPv2, documented in RFCs 1909–1910 and RFC 2222, respectively. The SNMPv2usec recommends a robust security model and administrative framework. One of the problems with SNMPv2usec is that it lacks endorsement of the IETF, which relinquished the proposal to a nonstandard. The major functions of SNMPv2 include

● Expanded data types, such as 64-bit counters

● Improved performance and efficiency with the get-bulk PDU

● Event notification with the inform PDU

● Better error handling

● More efficient row creation and deletion

Finally, in an attempt to reach some agreement between the various remote management and security proposals, another series of RFCs was written, which later became known as SNMPv3. These RFCs (2271–2275) have been put forth by the IETF as Proposed Standards, which means that they are available to the general public for review and discussion. SNMPv3 is SNMPv2c plus provisions for robust security and administration; it draws upon the SNMPv2c RFCs (1902–1908). At a high level, the SNMPv3 proposal attempts to

● Put forth a security model based on DES, MD5, and other authentication protocols

● Define a view-based access control model

● Redefine some of the SNMP concepts and terms

SNMPv3 has enjoyed a certain level of success in the industry at this point, but the protocols are still quite new. Major networking hardware and software companies already support SNMPv3. However, SNMPv3 has yet to be deployed widely within the industry; this is perhaps just a matter of time. One of the major delays for adoption of this new protocol is the cost-to-benefit ratio. For those sites that require better security today, they can upgrade to the new protocols as vendors make their implementation available. However, it may not be justifiable for everyone to upgrade all existing equipment to support SNMPv3. The most likely approach will be to migrate slowly over time as newer products that contain SNMPv3 support are deployed. Eventually, new products will replace the older ones, and deploying the new management protocols will simply be a matter of configuration.


SNMP Protocol Operation

An SNMPv1 message contains three major components: a version field, a community field, and an SNMP protocol data unit (PDU) field. Unlike other TCP/IP protocols, SNMP packets are not of a fixed length and, instead, rely on ASN.1 formatting. Figure 13-6 shows this basic SNMP packet structure, and a description of the fields (and sizes) follows.

The format includes field names, shown in bold text, and formatting labels (type), as shown on the top in gray text. The type shows the basic format for each of the fields. For instance, the version information is an INTEGER object. The field names are defined as follows:

version  This field indicates which version of the SNMP protocol is being used. Presently, version 1 is the most widely implemented and supported SNMP protocol.

community name  The community is used as the primary security mechanism to establish authentication from a network manager to agents within the SNMP. The community name or string is used as a password for access to objects. This is based on the condition that the network manager knows the agent's password. If the agent has been configured to emit traps, an authenticationFailure trap is generated when a network manager queries an agent with an invalid community string.

protocol data units  SNMPv1 PDUs can be one of five different types and consist of request and response components. They include


Figure 13-6 SNMP master/subagent diagram


SNMPv2 defines these additional PDUs:

● GetBulkRequest

● InformRequest

Each of the GetRequest, GetNextRequest, and SetRequest components elicits from the responding agent a GetResponse that might contain valid data or an error status.

GetRequest

The GetRequest PDU is issued by an SNMP manager or application to obtain one or more MIB objects from an SNMP agent. The fields for this packet type include

pdu type  Indicates the PDU type is a GetRequest.

request-id  Unique identifier that permits the SNMP manager to match paired requests and responses. It also aids in detecting duplicate messages that may be received when using an unreliable transport service.

variable-bindings  A list of requested MIB objects.

The GetRequest operation is the primary way to obtain information from agents when the objects in question are known beforehand. For example, should the network manager decide to retrieve sysDescr and sysUpTime objects from an agent, we can think of the request as simply a function to include

GetRequest (sysDescr, sysUpTime)

In this case, both of these objects are placed within the variable-binding field when sent. The sysDescr object represents a string that contains a general description of the agent, and sysUpTime reflects the amount of time that an agent has been running.

When the agent receives the above message and no errors have occurred, it will respond with the values of the MIB objects requested via a GetResponse PDU. The GetRequest operation is atomic. That is, either all the values requested are returned or no values are returned. When the receiving entity responds to the GetRequest, it includes the values in the GetResponse variable-binding field. If, for some reason, at least one of the values cannot be supplied, no values will be provided.


If the values requested from a manager cannot be returned by the agent, the agent will respond with an error. For example, the management system might have requested an MIB object that isn't implemented in the agent. In this case, the agent can't possibly satisfy the request, and thus an error is returned. Also, in certain situations, returning the value of a requested object fails because it might be too large to be processed by the manager.

The variable-bindings field includes a list of objects for which values are requested. When the agent responds via GetResponse, the variable binding includes the requested objects and associated values. Given the example above, the following GetResponse would be sent by the agent:

GetResponse(sysDescr="3Com Enterprise Monitor", sysUpTime=0000154477)

In this example, the agent is a 3Com enterprise RMON monitor (or network probe), as indicated by the sysDescr field. This device collects network performance and packet contents information for later analysis and reporting. The sysUpTime object contains the amount of time the agent has been up and running. The value shown in the example indicates that the device was running for approximately 15 minutes and 44 seconds.

to implement whichever MIBs their devices need. Therefore, the network manager must discover the supported MIBs by walking the MIB tree in an automated fashion. When the GetNextRequest is sent with a particular object, the GetResponse returns the requested object's value, plus the instance of the next lexicographic object in the MIB tree. As a result, each GetNextRequest will reveal the next object within the MIB without the manager knowing what the next object will be. The GetNextRequest operation also provides a more efficient mechanism to retrieve objects from an agent than GetRequest because it requires fewer request/response exchanges.


The SetRequest operation is used to alter agent information such as the value of a MIB object. The packet format is the same as GetRequest and GetNextRequest. Unlike GetRequest or GetNextRequest, SetRequest is used to alter the value of a MIB object. As mentioned before, the SetRequest requires security privileges, which are presently mapped via the community string for the SNMPv1 protocol. Therefore, the agent must validate the SetRequest community string provided before the operation is permitted. The SetRequest is also atomic; either all the values can be altered or none can. If the SetRequest is successful, a GetResponse is returned and the variable-binding list contains the objects with their new values. This is how the network manager can determine that the set operation was successful. If the SetRequest was unsuccessful, an error is returned in the GetResponse.

GetResponse

Each of the SNMP operations, with the exception of the Trap, receives a GetResponse from the agent. The GetResponse packet includes the following fields:

pdu-type: Indicates the PDU type, which is GetResponse.
request-id: Unique identifier that permits the pairing of requests and responses.
error-status: Indicates that an exception condition occurred while processing the request (zero, noError, when the request succeeded).
error-index: When an error occurs, indicates which object variable in the variable-binding list caused the error, counting from 1.
variable-bindings: A list of MIB objects that are involved in the operation.

Because SNMP runs over UDP, the request-id is the only thing that ties a response to the request it answers. A manager should use request-ids that are hard to guess and ignore any response whose request-id it did not send.

Trap

A Trap is an unsolicited message from an agent directed to a network management station that represents a significant event or condition for which notification to the manager is considered necessary. This type of communication from the agent is asynchronous, as compared to the polling from the manager. The Trap PDU is quite different from the other PDUs defined in SNMP. Unlike the other SNMP PDUs, a Trap does not warrant a response from the receiving network management station (it is normally sent to UDP port 162 on the manager, not to the agent port 161). The fields of a Trap include

PDU type: Indicates that the PDU type is a Trap.
Enterprise: Contains the MIB object sysObjectID of the sending agent. The sysObjectID object identifies the vendor of the agent that sent the Trap.
Agent-address: Represents the IP address of the sending agent. Because the sender fills in this field itself, it is not a reliable indicator of where the Trap really came from.
Generic-trap: One of the predefined Trap values listed in Table 13-5.
Specific-trap: More detailed information about the Trap. This is usually zero unless the generic-trap is an enterpriseSpecific Trap. Enterprise Traps are vendor specific and may contain additional agent information about the condition that caused the Trap in the first place.
Time-stamp: The value of the agent's sysUpTime when the Trap was generated, that is, the time elapsed since the device was last initialized, expressed in hundredths of a second (TimeTicks).
Variable-bindings: Vendor-specific information related to the Trap.

Table 13-5 lists the seven predefined generic Trap types. The enterpriseSpecific Trap type is provided as a mechanism to define custom or proprietary traps that do not fit within the other generic types.


Table 13-5 SNMP Predefined Trap Types

Generic-trap value         Meaning
coldStart (0)              The device is restarting or reinitializing itself such that the agent or its configuration may be changed. Usually, this indicates a crash or other reboot condition.
warmStart (1)              The device is restarting or reinitializing itself such that no changes are made to the agent or configuration. Usually, this implies a simple refresh or reboot of the operating system environment.
linkDown (2)               Indicates a failure on one of the device's communications (interface) links.
linkUp (3)                 Indicates that a device's communications (interface) link is now up and running.
authenticationFailure (4)  An authentication or security failure has occurred on the device. Typically, this indicates that an invalid SNMP community string has been used. A burst of these from one agent usually means either a misconfigured manager or someone guessing community strings, so they deserve a trap receiver that is actually watching.
egpNeighborLoss (5)        Indicates that an Exterior Gateway Protocol (EGP) neighbor, of which the device is a peer, has been marked down and the relationship is no longer valid.
enterpriseSpecific (6)     Indicates that some vendor-specific event has occurred. Vendors use this generic trap type to represent their own proprietary traps; the specific-trap field identifies which one.

GetBulkRequest

This PDU is issued by an SNMPv2 manager or application to minimize network interaction and permit the agent to return larger packets (as compared to GetNextRequest or GetRequest), thus improving the efficiency of obtaining a large number of objects from an agent. It uses the same PDU format as the other SNMPv2 operations. The only difference is the renaming of the error-status and error-index fields (as they appear in the Response PDU) to non-repeaters and max-repetitions, respectively. These fields are defined as follows:

non-repeaters: The number of variables at the start of the variable-binding list that should be retrieved once at most, each answered with a single lexicographic successor exactly as in GetNextRequest.
max-repetitions: The maximum number of successive lexicographic successors the agent should return for each of the remaining variables in the list.

The reply is an ordinary Response PDU. The agent may return fewer repetitions than requested if it reaches the end of the MIB view (signalled by an endOfMibView value) or if the complete answer would not fit in one message. Because a repeater is simply followed in lexicographic order, the returned objects can run past the end of the table the manager was interested in, so the manager must check that every returned name still carries the expected prefix.

InformRequest

The InformRequest PDU is issued by an SNMPv2 entity acting in a manager role to another SNMPv2 entity acting in the same role for the purpose of providing network management information. The major function of this PDU is to provide distributed SNMP management capabilities; thus, an agent can implement this PDU to provide management-like services and functions. The format of this PDU is the same as for GetRequest and other related PDUs. Unlike a Trap, an InformRequest is acknowledged with a Response PDU, so the sender can detect loss and retransmit.
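As an added example (not code from the book) of the GetNextRequest and GetBulkRequest semantics described above, the following Python models a small agent's object store and implements lexicographic GetNext, a subtree walk, and GetBulk with non-repeaters and max-repetitions. The OIDs and values are constructed sample data shaped like MIB-II's system group and ifTable; nothing is encoded or sent on the network.

```python
"""MIB walking with GetNextRequest and GetBulkRequest semantics (added example).

Not code from the book. The object store of a small SNMP agent is modelled as a
dict keyed by OID tuples, and the retrieval rules of GetNext (lexicographic
successor) and GetBulk (non-repeaters / max-repetitions) are implemented on top
of it, with no wire encoding or network traffic. The OIDs and values are
constructed sample data in the shape of MIB-II's system group and ifTable.
"""
from bisect import bisect_right

# Constructed agent data: three system-group scalars and a two-row ifTable
# (column OIDs under ifEntry, 1.3.6.1.2.1.2.2.1).
AGENT_MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "3Com Enterprise Monitor",   # sysDescr.0
    (1, 3, 6, 1, 2, 1, 1, 3, 0): 154477,                      # sysUpTime.0
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "probe1",                    # sysName.0
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 1): 1,                     # ifIndex.1
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 1, 2): 2,                     # ifIndex.2
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1): "eth0",                # ifDescr.1
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2): "eth1",                # ifDescr.2
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 1): 1,                     # ifOperStatus.1 (up)
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 8, 2): 2,                     # ifOperStatus.2 (down)
}

# SNMP orders instances lexicographically by OID, arc by arc, with a shorter OID
# that is a prefix of a longer one sorting first. Python compares tuples the same
# way, so the sorted keys are exactly the agent's walk order.
_ORDER = sorted(AGENT_MIB)


def parse_oid(text):
    """'.1.3.6.1.2.1.1.1.0' (leading dot optional) -> tuple of ints."""
    return tuple(int(p) for p in text.strip(".").split("."))


def fmt_oid(oid):
    return "." + ".".join(str(p) for p in oid)


def get_next(oid):
    """GetNextRequest: the name and value of the first instance sorting strictly
    after `oid`, or None at the end of the MIB view (endOfMibView in SNMPv2).
    `oid` itself need not exist, which is what lets a walk start at a bare
    subtree identifier such as .1.3.6.1.2.1."""
    i = bisect_right(_ORDER, tuple(oid))
    if i == len(_ORDER):
        return None
    return _ORDER[i], AGENT_MIB[_ORDER[i]]


def walk(subtree):
    """Repeated GetNext until the returned name leaves `subtree` (what snmpwalk does)."""
    subtree, out, cur = tuple(subtree), [], tuple(subtree)
    while True:
        nxt = get_next(cur)
        if nxt is None or nxt[0][:len(subtree)] != subtree:
            return out
        out.append(nxt)
        cur = nxt[0]


def get_bulk(oids, non_repeaters, max_repetitions):
    """GetBulkRequest: the first `non_repeaters` names get one GetNext each; every
    remaining name gets up to `max_repetitions` successive GetNexts. Returns the
    flat variable-binding list the Response PDU would carry, in the order the
    protocol prescribes: all non-repeaters, then repetition 1 for each repeater,
    repetition 2 for each repeater, and so on."""
    result = []
    for oid in oids[:non_repeaters]:
        nxt = get_next(oid)
        if nxt is not None:
            result.append(nxt)
    repeaters = [tuple(o) for o in oids[non_repeaters:]]
    for _ in range(max_repetitions):
        if not repeaters:
            break
        advanced = []
        for oid in repeaters:
            nxt = get_next(oid)
            if nxt is not None:              # a repeater that hit the end simply drops out
                result.append(nxt)
                advanced.append(nxt[0])
        repeaters = advanced
    return result
```

Calling get_bulk with sysUpTime as the single non-repeater, the ifDescr and ifOperStatus columns as repeaters and max-repetitions 3 yields six variable bindings: the third repetition of the ifDescr repeater overruns into the ifOperStatus column, because the agent simply follows lexicographic order. That overrun is exactly why a manager must check the prefix of every returned name before treating it as part of the table it asked for.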


● SNMPv3 increases security over older standards.

● A trap message can inform a network management station about an unexpected problem that the agent might not otherwise find out about in a timely fashion.

Table 13-6 SNMP Response Codes

Response code        Description

SNMPv1
tooBig               Returned by the agent if the response to a request would be too large to send.
noSuchName           Returned by the agent when a requested object does not exist or is not in the MIB view granted to the community, and also when a set operation is attempted on an object that is in the MIB view but is read-only.
badValue             Returned by the agent when a set operation supplies a value of the wrong type, length or range for an object in the variable-binding list.
readOnly             Defined in SNMPv1 but effectively unused; agents report attempts to write a read-only object as noSuchName instead.
genError             Returned by the agent when processing of a PDU fails for a reason other than what is listed in this table.

SNMPv2/v3
noAccess             The variable is outside the defined MIB view for this operation to succeed.
notWritable          The variable exists within the agent, but the agent is unable to modify the object.
wrongType            The value supplied is of the wrong data type, as defined by ASN.1.
wrongLength          The value supplied is of the wrong length.
wrongEncoding        The value supplied was not encoded correctly.
wrongValue           The value supplied is not within the range required for the object type.
noCreation           The object doesn't exist and the agent is unable to create an instance of this object.
inconsistentName     The object doesn't exist and the agent is unable to create an instance of this object because the name is inconsistent with the values of other related objects.
inconsistentValue    The value provided is inconsistent with the values of other managed objects.
resourceUnavailable  A needed resource within the agent can't be reserved to complete the request.

SNMPv2c and SNMPv3 agents can additionally return commitFailed, undoFailed and authorizationError, which the table above does not list.

Hint

These codes are important because they can help you track down problems and issues when using SNMP agents and tools that communicate with agents. Determining the solution to SNMP problems is aided by knowing these message codes and understanding the difference between configuration errors with the agent versus connectivity problems between the manager and agent. Keep in mind that a wrong community string never produces one of these codes: an SNMPv1 or v2c agent simply discards the request, so from the manager's side it looks like a timeout, exactly as if the agent were unreachable.

Transmission of an SNMP Message

The following series of events occurs when a network manager formulates an SNMP message:

1. The basic PDU is constructed.
2. The PDU is passed to the security service layer, if available.
3. The protocol layer formats the message, including the version and community information.
4. The entire message is encoded using ASN.1 rules (the Basic Encoding Rules, BER).
5. The message is passed to the transport service so that it will be delivered to the receiving entity.

The following series of events occurs when an agent device receives an SNMP message:

1. A basic check is performed to ensure the message is formatted correctly. The message is discarded if any errors are encountered.
2. The protocol version information is verified. If there is a mismatch, the message is discarded.
3. The security service attempts to verify the sending entity; for SNMPv1 and v2c this is the community string check. If this fails, the message is discarded and, if the agent's snmpEnableAuthenTraps object is set, an authenticationFailure trap is generated. No error response is sent to the requester.
4. The PDU is decoded.
5. The PDU is processed.
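The PDU layouts given earlier in this module (GetRequest, GetResponse and Trap) together with the send and receive steps just listed, as an added example that is not code from the book or from any SNMP implementation: a minimal BER encoder and decoder for SNMPv1 messages, a manager-side GetRequest, and an agent-side receive function that performs the format, version and community checks before decoding and answering. The community string "public", the agent address 192.0.2.10, the MIB contents and the enterprise OID placed in the Trap are all placeholders chosen for this example.

```python
"""SNMPv1 BER encoding and the agent's receive checks (added example, not from the book).

Minimal BER codec for the SNMPv1 message described in this module (version, community,
PDU with request-id, error-status, error-index, variable-bindings) plus the agent's receive
steps: format check, version check, community check with an authenticationFailure Trap on
mismatch, PDU decode and GetRequest processing. All values are constructed samples.
"""
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, TIMETICKS = 0x40, 0x43                   # SMI application types
GET_REQUEST, GET_RESPONSE, TRAP = 0xA0, 0xA2, 0xA4  # context-specific PDU tags
NO_ERROR, NO_SUCH_NAME, AUTHENTICATION_FAILURE = 0, 2, 4

def tlv(tag, content):            # tag, BER length (short form below 128, else long form), content
    n, size = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def enc_int(n, tag=INTEGER):      # minimal two's-complement content octets
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(arcs):                # first two arcs share one octet, the rest are base-128
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(OID, bytes(out))

NULL_VALUE = tlv(NULL, b"")       # the placeholder value a manager puts in a GetRequest

def enc_varbinds(vbs):            # SEQUENCE OF SEQUENCE { name, value }; values already encoded
    return tlv(SEQUENCE, b"".join(tlv(SEQUENCE, enc_oid(o) + v) for o, v in vbs))

def build_request(community, pdu_tag, request_id, vbs, status=NO_ERROR, index=0):
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(status) + enc_int(index) + enc_varbinds(vbs))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)  # version 0 = SNMPv1

def build_trap(community, enterprise, agent_addr, generic, specific, uptime, vbs=()):
    addr = tlv(IPADDRESS, bytes(int(p) for p in agent_addr.split(".")))
    pdu = tlv(TRAP, enc_oid(enterprise) + addr + enc_int(generic) + enc_int(specific)
              + enc_int(uptime, TIMETICKS) + enc_varbinds(vbs))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def split(buf, want=None):        # one TLV off the front -> (tag, content, remainder)
    tag, length, pos = (buf[0], buf[1], 2) if len(buf) > 1 else (None, -1, 2)
    if length > 0x7F:             # long form; a bare 0x80 (indefinite length) is not valid here
        n, pos = length & 0x7F, 2 + (length & 0x7F)
        length = int.from_bytes(buf[2:pos], "big") if 0 < n <= len(buf) - 2 else -1
    if length < 0 or len(buf) < pos + length or want not in (None, tag):
        raise ValueError("truncated, bad length, or unexpected tag")
    return tag, buf[pos:pos + length], buf[pos + length:]

def dec_oid(c):                   # inverse of enc_oid
    arcs, val = [c[0] // 40, c[0] % 40], 0
    for b in c[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return tuple(arcs)

DECODE = {INTEGER: lambda c: int.from_bytes(c, "big", signed=True), OID: dec_oid,
          TIMETICKS: lambda c: int.from_bytes(c, "big", signed=True), NULL: lambda c: None,
          OCTET_STRING: lambda c: c.decode("latin-1"), IPADDRESS: lambda c: ".".join(map(str, c))}

def parse_message(raw):           # -> (version, community, pdu_tag, pdu_content)
    _, body, rest = split(raw, SEQUENCE)
    _, ver, body = split(body, INTEGER)
    _, comm, body = split(body, OCTET_STRING)
    pdu_tag, pdu, rest2 = split(body)
    if rest or rest2:
        raise ValueError("trailing data")
    return DECODE[INTEGER](ver), comm.decode("latin-1"), pdu_tag, pdu

def parse_pdu(pdu_tag, pdu):      # Get*/GetResponse: (request-id, error-status, error-index, varbinds)
    tags = (OID, IPADDRESS, INTEGER, INTEGER, TIMETICKS) if pdu_tag == TRAP else (INTEGER,) * 3
    fields = []                   # Trap: (enterprise, agent-addr, generic-trap, specific-trap, time-stamp, varbinds)
    for t in tags:
        _, c, pdu = split(pdu, t)
        fields.append(DECODE[t](c))
    vbs, out = split(pdu, SEQUENCE)[1], []
    while vbs:
        _, vb, vbs = split(vbs, SEQUENCE)
        _, name, vb = split(vb, OID)
        tag, val, _ = split(vb)
        out.append((dec_oid(name), DECODE[tag](val)))
    return (*fields, out)

# Constructed agent state: MIB-II sysDescr.0 and sysUpTime.0 stored pre-encoded (so
# sysUpTime keeps its TimeTicks tag), a community string and a placeholder enterprise OID.
AGENT_MIB = {(1, 3, 6, 1, 2, 1, 1, 1, 0): tlv(OCTET_STRING, b"3Com Enterprise Monitor"),
             (1, 3, 6, 1, 2, 1, 1, 3, 0): enc_int(154477, TIMETICKS)}
AGENT_COMMUNITY, AGENT_ADDR, ENTERPRISE = "public", "192.0.2.10", (1, 3, 6, 1, 4, 1, 43)

def agent_receive(raw, mib=AGENT_MIB, community=AGENT_COMMUNITY):
    """Receive steps 1-5: returns the GetResponse bytes, the authenticationFailure Trap a
    real agent would send to its trap receivers (UDP 162), or None if the message is dropped."""
    try:
        version, comm, pdu_tag, pdu = parse_message(raw)               # 1: well formed?
        if version != 0:                                               # 2: version match?
            return None
        if comm != community:                                          # 3: community check
            return build_trap(community, ENTERPRISE, AGENT_ADDR, AUTHENTICATION_FAILURE, 0, 154477)
        if pdu_tag != GET_REQUEST:                                     # only Get is implemented
            return None
        req_id, _, _, vbs = parse_pdu(pdu_tag, pdu)                    # 4: decode the PDU
    except (ValueError, KeyError, IndexError):                         # anything malformed: drop it
        return None
    names = [n for n, _ in vbs]
    for i, name in enumerate(names, 1):                                # 5: process it
        if name not in mib:     # SNMPv1 echoes the request list, flagging the first unknown name
            return build_request(community, GET_RESPONSE, req_id, [(n, NULL_VALUE) for n in names], NO_SUCH_NAME, i)
    return build_request(community, GET_RESPONSE, req_id, [(n, mib[n]) for n in names])
```

Both the version check and the community check end in a silent drop, so a manager with the wrong community sees only a timeout; the authenticationFailure Trap goes to the trap receivers, not back to the requester. Only the GetRequest operation is processed on the agent side here; GetNextRequest and SetRequest use the same PDU layout and would hang off the same decoded fields.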

Connectionless Protocol

SNMP is a connectionless protocol, which means that it doesn't support the concept of establishing and controlling a dedicated connection like Telnet or FTP. SNMP transmits information between an agent and a manager by the use of requests and returned responses, normally as single UDP datagrams. This removes the burden from agents of having to support the additional protocols and state associated with connection-based schemes. It also means that UDP gives SNMP no delivery guarantee, so SNMP provides its own mechanism for reliability and error detection: the manager pairs responses with requests by request-id, times out and retransmits unanswered requests, and has to treat an unanswered request as either an unreachable agent or a rejected community string. Traps, which are never acknowledged, can be lost silently; this is one reason SNMPv2 added the InformRequest. Because UDP carries no session, the source address of a datagram is also trivially forged, which is why community strings alone make a weak access control.

13.5 Investigate SNMP Master and Subagent

When deploying network management software, it is common to have a single agent installed on each system that will be managed. In the case of networking devices such as routers and switches, usually only a single agent is available. In either case, the agents communicate with one or more network managers using the standard SNMP port, UDP 161. For most needs, a single-agent approach makes sense and is appropriate. However, there are instances when more than one agent is necessary to achieve the desired level of manageability. For example, workstation manufacturers will often provide an SNMP agent within their operating system. In the case of both Solaris and HP-UX, the vendor provides a master agent and one or more subagents. A single agent is available on the Linux platform.

Most system agents support a limited number of operating system functions and parameters. If we wish to manage database services on this same system via SNMP, we need to install another agent specifically to monitor the database functions. This poses a problem, because both agents will typically be accessed by the SNMP manager using the same standard SNMP port. When the agents are started by the system, the first agent will start, open port 161 and operate normally. However, when the second agent starts and attempts to do the same, its bind fails with an "address already in use" error and it should abort.

Two possible approaches can be taken to address this port contention problem. First, one of the agents can be configured to use an alternative port instead of the standard 161. This solution will work if the agent can be made to support another port when it is started by the system. Many system agents do support alternative ports, but this is by no means the rule. The major drawback to this solution is that any SNMP managers used to poll the agent must now be configured to use this new port as well. This doesn't pose a significant problem when only a small number of nonstandard ports are used. However, if this solution is used on a large scale, say with many agents using nonstandard ports across a large number of systems, the approach loses its appeal because of the administrative burden it introduces (nonstandard ports are also easily forgotten when firewall rules and access lists are written).

The other solution might be considered more elegant because it involves using a master agent and one or more subagents. A master agent solves the port conflict problem by becoming the keeper of the standard SNMP port and forwarding the SNMP traffic to the appropriate subagent. Subagents are normal SNMP agents, but they are registered with the master agent and assigned nonstandard ports that are used to communicate with the master agent. SNMP messages from managers are sent to the master agent, which in turn delivers the messages to the correct subagent using the port it assigned to that subagent; the subagent is chosen by matching the requested object identifiers against the MIB subtrees each subagent registered. Figure 13-6 shows a diagram of the master/subagent architecture. One major benefit of this solution is that it alleviates the administration task of modifying the SNMP managers cited in the first solution. Also, this solution can scale very well, because new subagents can be added in a straightforward manner. One point to check when deploying it: the subagent ports exist only for the master's use, so they should be bound to the loopback interface or blocked by the host firewall; otherwise a manager, or an attacker, can bypass the master and whatever access control it enforces by talking to a subagent directly.

On the negative side, the master agent can itself pose a problem, because it can crash or otherwise become inoperative. This would have the adverse effect of disabling the connectivity to all the subagents. Because this particular problem can be said of other software systems as well, the risk (although not zero) isn't necessarily a significant factor. Also, because the master agent is responsible for delivering the SNMP messages to the appropriate subagent, it takes a certain amount of processing time and overhead. This might be a factor in time-critical management functions.
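The port contention and the master/subagent routing described above, as an added example that is not code from the book: the first part binds two UDP sockets to the same loopback port to reproduce the "port is busy" failure, using an ephemeral port in place of 161 so that no privileges are needed; the second part models the master agent's job of forwarding each requested object to whichever subagent registered the most specific OID prefix. The subagent names and the enterprise subtree 1.3.6.1.4.1.99999 are placeholders; no real subagent processes are started.

```python
"""Port contention between two agents, and master/subagent routing (added example).

Not code from the book. Part one reproduces the failure described in the text: a
second process binding the UDP port an agent already owns fails with EADDRINUSE. An
ephemeral loopback port stands in for 161 so the demonstration needs no privileges.
Part two models the master agent as the single owner of the listening port that hands
each requested object to the subagent registered for the longest matching OID prefix.
The registrations and OIDs are constructed sample data; no real subagents are started.
"""
import errno
import socket


def bind_udp(port, host="127.0.0.1"):
    """Bind a UDP socket the way an agent claims its port. Returns the socket, or
    None when the port is already held by another process (what the second agent
    in the text runs into)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None
        raise
    return sock


def demonstrate_contention():
    """Start 'two agents' on one port; returns (first_bound, second_bound)."""
    first = bind_udp(0)                       # port 0: let the kernel pick a free one
    port = first.getsockname()[1]
    second = bind_udp(port)                   # the second agent tries the same port
    try:
        return first is not None, second is not None
    finally:
        first.close()
        if second is not None:
            second.close()


class MasterAgent:
    """Owns the standard port and forwards each object to the subagent that
    registered the most specific (longest) OID prefix covering it."""

    def __init__(self):
        self.registry = {}                    # OID prefix tuple -> subagent name

    def register(self, subagent, prefix):
        prefix = tuple(prefix)
        if prefix in self.registry:           # two subagents cannot own one subtree
            raise ValueError("%s already registered by %s" % (prefix, self.registry[prefix]))
        self.registry[prefix] = subagent

    def route(self, oid):
        """Subagent responsible for one OID, or None if nobody registered that subtree."""
        best = None
        for prefix, name in self.registry.items():
            if oid[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
                best = (prefix, name)
        return best[1] if best else None

    def dispatch(self, oids):
        """Split one manager request into per-subagent work lists; objects nobody
        owns are collected under None so the master can answer noSuchName itself."""
        work = {}
        for oid in oids:
            work.setdefault(self.route(oid), []).append(tuple(oid))
        return work
```

The longest-prefix rule is what lets a host-resources subagent own mib-2.25 while the operating system agent owns the rest of mib-2; without it, the order of registration would decide who answers, which is exactly the kind of silent misrouting that makes master/subagent setups hard to debug.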


Mastery Check

1. Which MIB object class consists of primitive types that can be used to build additional data types of objects?

2. Which SNMP function notifies a network management system of a special condition or problem without the management system specifically requesting

3. Which class does the IpAddress data type belong to?

4. Which of the following elements does SNMPv1 not provide?
A. Basic network management framework
B. Robust security model
C. Definition of the MIB-II standard
D. Description of ASN.1 encoding language

5. What are the three main components of a SNMPv1 message?

6. In the MIB hierarchical tree structure, the ________ represent individual objects.

7. What type of objects are not alterable by the network management system, but allow their values to be obtained with a get operation?
A. Not-accessible
B. Accessible-for-notify
C. Read-only
D. Read-write

8. What does an SNMP manager or application issue to obtain one or more MIB objects from a SNMP agent?

9. What does an SNMP manager or application issue to obtain a MIB object from a SNMP agent when the structure of the MIB tree is unknown?

10. Match each of the data types in the first list (A-D) with its description from the second list (i-iv):
ii. A data type representing a cardinal number
iii. A data type meant as a placeholder, but currently not used
iv. A data type representing an authoritatively named object that consists of a sequence of values that specify a MIB tree

11. Which of the following is information that would be contained in an SNMP table for each interface within a network device to describe the nature of the interface and associated configuration? (choose all that apply)

13. What might you assign to a class of devices to provide a security boundary for a desired group of devices?
A. Boundary name
B. Community name
C. Security model
D. Encryption facilities

14. Which SNMP operation doesn't receive a GetResponse from the agent?

15. Which SNMPv2 operation helps minimize network interaction and permits the agent to return larger packets relative to GetRequest or GetNextRequest?

16. What response code will an SNMPv2 agent receive if the object doesn't exist and the agent is unable to create an instance of this object?


Module 14
Using the Domain Name System

Critical Skills

Copyright 2002 by The McGraw-Hill Companies, Inc.


One major issue with TCP/IP networking is how to provide mappings between system names and their corresponding network addresses. UNIX provides several ways to facilitate the mapping between hostnames and IP addresses.

14.1 Discover How the Domain Name System Works

First, the traditional method involves the use of the /etc/hosts file. When a network application wishes to resolve a name, it invokes a standard library routine that looks the name up in this file. The file provides simple mappings of hostnames at the local level, and this particular method has several problems. The chief issue is that it doesn't scale well; in other words, it would be impossible for the system administrator to maintain an /etc/hosts file that contains all the possible systems that one would need. When the Internet was much smaller, it used the /etc/hosts approach for name resolution. However, because of operational problems it became clear that another mechanism was needed. The file has not gone away, though: on most systems it is still consulted before DNS, so an entry added to it silently overrides the answer DNS would give. That makes it both a handy local override and a favourite target for tampering, and worth checking whenever a host resolves a name unexpectedly.

The second approach is to use Network Information Services (NIS). Today, this method is deployed within many companies, largely to handle internal name resolution. This approach, too, suffers from the same basic problem as /etc/hosts: scalability. NIS doesn't provide for host resolution for a significant number of hosts, such as those on the Internet.

The third method uses DNS for name resolution. DNS provides a hierarchical namespace that contains domains, subdomains, and hostnames. A domain is a collection or grouping of hostnames strategically defined within the namespace so that no conflicts arise among different domains. For example, it is possible that two different companies have picked identical hostnames for some of their systems. However, this doesn't represent a problem, because the two companies are in different domains; thus the overlapping hostnames never collide.

The Domain Name System (DNS) provides a very critical element for the Internet: it provides mappings between hostnames and their corresponding Internet Protocol (IP) addresses. For example, when a URL of the form http://www.whitehouse.gov is entered within a Web browser, the browser in turn requests the IP address of this host from a DNS server in order for the communication between the user's system (browser) and the remote Web site to commence. Why does the browser do this? Because communication between systems on the Internet must use an Internet Protocol address. This is true for any TCP/IP network; IP addresses are what ultimately identify the communicating systems. The process of converting from a hostname to an IP address is known as host resolution and is completely transparent to the user. The DNS implementation available on most UNIX versions is the Berkeley Internet Name Domain (BIND) package, which is used quite extensively on the Internet. BIND is open source, maintained by the Internet Systems Consortium, and freely available at www.isc.org. This module is based on the BIND version of DNS.

The DNS namespace can be clearly explained by using an inverted tree structure, which is similar to a UNIX file system. The UNIX file system starts at the base or root, which is represented with a leading "/". Within DNS, a dot "." is used to represent the base (root) of the tree. Figure 14-1 shows a sample of the DNS namespace. As you can see from the figure, several of the common DNS domains are defined, including edu, com, and net. These are known as top-level domains and sit directly below the root; any objects defined below these top levels are known as subdomains. The placement of companies, corporations, or institutions largely depends on the type of business the organization is engaged in. For instance, if a university called Zippy wants to join the Internet, a new subdomain called zippy will be defined under the edu domain because it is an educational establishment. Standard DNS domains are listed in Table 14-1.

Figure 14-1 DNS namespace


Note that two systems have been assigned the name socrates, one in the edu domain and the other in the com domain. This is a perfectly acceptable and reasonable thing to do; that is, there is no conflict. The UNIX file system works the same way: two files with the same name can be defined within two different directories. One reads or interprets a domain and hostname in the opposite order to a UNIX file and pathname, from right to left. For example, the host

socrates.mis.zippy.edu

reads as follows: within the edu top-level domain, an organization called zippy defines a subdomain called mis, which contains a host called socrates. The DNS label separator is the dot ("."), and a trailing dot standing for the root is implied after every fully qualified name. In practice, the rightmost dot is usually omitted, but in a zone file a name without it is taken as relative to the zone's origin, a classic source of configuration mistakes.

DNS consists of two major elements: the server and the client. The server provides DNS services to one or more client systems. Whenever the client must obtain the IP address of a host, it makes a request to a DNS server. The server responds with a valid answer and the client continues to process the transaction. Typically, several servers are deployed so that should a failure occur with a particular DNS server, other backup systems will respond to the client request. This approach works well and provides a reasonable amount of fault tolerance.


Table 14-1 Top-Level DNS Domains

Domain        Purpose
edu           Educational: universities, colleges, prep schools, etc.
com           Institutions and other organizations that engage in commercial activities
gov           Government organizations and institutions
int           International organizations
mil           Military organizations or those that work with such organizations
net           Internet service providers and other network support centers
org           Organizations that are noncommercial in nature, such as nonprofit institutions
country code  Two-letter domains for each country, based on geographic location (for example, uk or jp)
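The two resolution methods discussed above (/etc/hosts and the DNS hierarchy), as an added example that is not code from the book: a parser for hosts-file syntax matching what the resolver library does, a lookup that falls through when the name is absent, the right-to-left decomposition of a name into the zones that enclose it, and a resolve() that applies the usual "files, then dns" order. The hosts entries, names and addresses are constructed sample data, and the dns_answers dictionary stands in for a DNS server; nothing is queried on the network.

```python
"""Local name resolution: /etc/hosts lookup and the DNS name hierarchy (added example).

Not code from the book. It parses constructed /etc/hosts-style text the way the
resolver library does (first whitespace-separated field is the address, the rest are
the canonical name and aliases, '#' starts a comment, names compare case-insensitively)
and splits a fully qualified domain name into the chain of zones from the root down,
which is the right-to-left reading of a DNS name described in the text. The hosts
entries, names and addresses are sample data, not taken from any real system.
"""

# Constructed sample /etc/hosts content.
SAMPLE_HOSTS = """\
# Host Database (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      socrates.mis.zippy.edu  socrates   # lab box
192.0.2.11      plato.mis.zippy.edu     plato mail
198.51.100.7    socrates.example.com                # same short name, other domain
"""


def parse_hosts(text):
    """Return {name_lower: address}; the first entry for a name wins, as in the C library."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()         # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def lookup_hosts(name, table):
    """Resolve via /etc/hosts only; None means 'fall through to the next source (DNS)'."""
    return table.get(name.rstrip(".").lower())


def zone_chain(fqdn):
    """Read a name right to left and return the zones enclosing it, root first:
    'socrates.mis.zippy.edu' -> ['.', 'edu.', 'zippy.edu.', 'mis.zippy.edu.',
    'socrates.mis.zippy.edu.']. The trailing dot written out is the implied root."""
    labels = [label for label in fqdn.rstrip(".").lower().split(".") if label]
    chain, suffix = ["."], ""
    for label in reversed(labels):
        suffix = label + "." + suffix
        chain.append(suffix)
    return chain


def resolve(name, hosts_table, dns_answers):
    """Resolver order used by most UNIX systems (files, then dns): /etc/hosts is consulted
    first, so an entry there overrides whatever DNS would answer. `dns_answers` stands in
    for a DNS server's replies, keyed by fully qualified name with the trailing dot."""
    hit = lookup_hosts(name, hosts_table)
    if hit is not None:
        return hit, "files"
    fqdn = name.rstrip(".").lower() + "."
    if fqdn in dns_answers:
        return dns_answers[fqdn], "dns"
    return None, None
```

The override behaviour is the point to notice: socrates.example.com has a DNS answer in the sample, but because the hosts file also lists it, resolve() returns the hosts address and never asks DNS. Checking /etc/hosts is therefore the first step when a name on one machine resolves differently from everywhere else.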
